AVET - AntiVirus Evasion Tool

AVET is an AntiVirus Evasion Tool, which was developed for making life easier for pentesters and for experimenting with antivirus evasion techniques. In version 1.1 lot of stuff was introduced, for a complete overview have a look at the CHANGELOG file. Now 64bit payloads can also be used, for easier usage I hacked a small build tool (avet_fabric.py).

The purpose of make_avet is to preconfigure a definition file (defs.h) so that the source code can be compiled in the next step. This way the payload will be encoded as ASCII payload or with encoders from metasploit. You hardly can beat shikata-ga-nai. Let's have a look at the options from make_avet, examples will be given below: -l load and exec shellcode from given file, call is with mytrojan.exe myshellcode.txt -f compile shellcode into .exe, needs filename of shellcode file -u load and exec shellcode from url using internet explorer (url is compiled into executable) -E use avets ASCII encryption, often do not has to be used Note: with -l -E is mandatory -F use fopen sandbox evasion -X compile for 64 bit -p print debug information -h help Of course it is possible to run all commands step by step from command line. But it is strongly recommended to use build scripts or the avet_fabric.py. The build scripts themselves are written so as they have to be called from within the avet directory:

Example 2 Usage without -E. The ASCII encoder does not have to be used, here is how to compile without -E. In this example the evasion technique is quit simple! The shellcode is encoded with 20 rounds of shikata-ga-nai, often enough that does the trick. This technique is pretty similar to a junk loop. Execute so much code that the AV engine breaks up execution and let the file pass.

Example 5, load with Internet Explorer This is a bit tricky and might not work on the first shot. The executable will start Internet Explorer and download the ASCII encoded shellcode. Then the shellcode will be read from the cache directory and if found executed. This was tested with Windows 7 only.

avet_fabric.py avet_fabric is an assistant, that loads all build scripts in the build directory (name has to be build*.sh) and then lets the user edit the settings line by line. This is under huge development. Example: